[forty]

(I work for another password manager company). Your questions are fair but not specific to password managers. All software can be victim of this kind of attacks. People tend to think it's worse when their password manager is compromised rather than another software, but the truth is that a troyan in (say) your text editor can very well be used to compromise your device and steal all your passwords.

But you are right, securing the code base and the CI is a big part of making sure a software is secure.

[forty]

Oh, and I cannot comment for the software you listed specifically, but I would strongly recommend that you update regularly software you use. Even if they don't create any vulnerability in their own code, they probably use some code dependencies, and it's unlikely that there are never vulnerabilities in any of those (and as per my previous comment, this is true of all software, not only password managers)